Hackers will know what you’re wearing

You purchased your clothes, you're wearing your clothes, but now someone else 0wns them.

Self-reliant clothing retailer American Apparel has added some technology to its LA-based manufacturing process.  It began placing radio frequency identification (RFID) tags on its clothing line in order to improve inventory management and sales floor product availability.  The NYC pilot store trial was a success, adding efficiency and reducing operational performance time.  The more than a million new RFID tags it recently purchased will be used to outfit all 17 locations in NY, with future plans for deployment to the remaining 128 North American locations.

The RFID tags consist of two components, an integrated circuit (IC) and an antenna.  The IC stores and processes data, while the antenna transmits and receives signals.  When a customer purchases an item, the tag information is acquired by an RFID reader.  Equipped with a frequency-specific antenna, the reader passes the tag's information, usually a 96-bit number, to a networked computer system containing the database inventory software.  Once the purchase is registered in the database, a message is sent to the stock room to notify staff of the purchase.  When the item is replaced on the sales floor, the tag is read, and the inventory tracking software is updated.  This process is also implemented at the main shipping and distribution centers.
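
As an added illustration (not from the original article), the code below decodes a 96-bit tag number the way an inventory system might and registers a sale against a database record. It assumes the number follows the GS1 SGTIN-96 layout, which the article does not confirm for American Apparel's tags; the tag ID, the `INVENTORY` table and `register_sale` are constructed for the example.

```python
# Added example, not from the article. Assumes the GS1 SGTIN-96 layout:
# header(8) | filter(3) | partition(3) | company prefix + item ref(44) | serial(38)
SGTIN96_HEADER = 0x30
# partition -> (prefix bits, prefix digits, item-ref bits, item-ref digits)
PARTITIONS = {0: (40, 12, 4, 1), 1: (37, 11, 7, 2), 2: (34, 10, 10, 3),
              3: (30, 9, 14, 4), 4: (27, 8, 17, 5), 5: (24, 7, 20, 6),
              6: (20, 6, 24, 7)}

# Constructed inventory database keyed by (company prefix, item reference).
# Description, size and stock counts live here, not in the tag itself.
INVENTORY = {("0614141", "812345"): {"desc": "T-shirt, size M", "floor": 3}}


def decode_sgtin96(hex_id):
    """Split a 96-bit tag ID (24 hex digits) into its SGTIN-96 fields."""
    if len(hex_id) != 24:
        raise ValueError("expected 96 bits (24 hex digits)")
    value = int(hex_id, 16)
    if value >> 88 != SGTIN96_HEADER:
        raise ValueError("not an SGTIN-96 header")
    partition = (value >> 82) & 0x7
    if partition not in PARTITIONS:
        raise ValueError("reserved partition value")
    cp_bits, cp_digits, ir_bits, ir_digits = PARTITIONS[partition]
    company = (value >> (82 - cp_bits)) & ((1 << cp_bits) - 1)
    item = (value >> 38) & ((1 << ir_bits) - 1)
    if company >= 10 ** cp_digits or item >= 10 ** ir_digits:
        raise ValueError("field does not fit its decimal width")
    return {
        "filter": (value >> 85) & 0x7,
        "company_prefix": str(company).zfill(cp_digits),
        "item_reference": str(item).zfill(ir_digits),
        "serial": value & ((1 << 38) - 1),  # unique per tagged item
    }


def register_sale(hex_id, inventory):
    """Read the tag, update the floor count, return the stock-room notice."""
    tag = decode_sgtin96(hex_id)
    record = inventory[(tag["company_prefix"], tag["item_reference"])]
    record["floor"] -= 1
    return f"Restock 1 x {record['desc']} (sold serial {tag['serial']})"


if __name__ == "__main__":
    sample = "3074257BF7194E4000001A85"  # illustrative tag ID, not a real garment
    print(decode_sgtin96(sample))
    print(register_sale(sample, INVENTORY))
```

Under this layout, two garments of the same style share the company prefix and item reference and differ only in the serial field, so a tag left on after purchase still identifies that one item.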

At the trial store, the RFID tags were removed from products at the time of purchase.  However, when the company expands RFID use to the remaining locations, the tags will be left on the purchased items.  This move will likely raise numerous privacy concerns for consumers.

The use of RFID tags in retail products, specifically clothing, is nothing new.  Italian fashion design company Prada tested its use with mixed results in 2002.  To date, Benetton, Levi Strauss, American Eagle, and even used clothing have experimented with RFID.  In December of 2006, fashionGroup RFID was formed, an organization aimed at addressing issues and creating standards for RFID adoption by clothing manufacturers.  Companies such as Checkpoint specialize in integrating RFID technology into clothing labels and product tags.

The inevitability of RFID's acceptance is evident from its current prevalence and its emerging product growth.  Electronics manufacturer Hitachi helped broaden the range of potential RFID applications in 2006 when it developed one of the world's smallest contactless IC chips, the µ-Chip, measuring only 0.15 mm x 0.15 mm, and 7.5 µm thick.  The digital Post-It notes used in the "Quickies" project, by MIT PhD student Pranav Mistry, rely on RFID tags for note location.  Motion Computing's new tablet PC, the F5, contains an internal RFID reader, along with its own integrated passive RFID tag.  Devices such as the Loc8tor help consumers track their "personal inventory" by placing RFID tags on keys, remotes, and other frequently misplaced items, and provide auditory feedback regarding their location through a handheld unit.

Advances in radio frequency communication have been embraced by many, who continue to explore its potential applications.  A large-scale research study called the RFID Ecosystem Project is currently underway at the University of Washington.  Using the UW Computer Science and Engineering building and a team of participants, hundreds of RFID readers and thousands of tags wirelessly monitor daily activity, in the hope of better understanding the social implications of trading technological utility for privacy.

Examining some of the recent incidents and events involving RFID technology has raised questions about its readiness for commercial use.  At this year's BlackHat DC conference, Adam Laurie demonstrated the ease with which he could read the information off credit card RFID chips.  In March of this year, the Chaos Computer Club in Germany cracked the encryption scheme of NXP's Mifare Classic RFID chip, used in several smartcard applications.  Last month, RFID development company Mojix introduced a new technology capable of reading RFID tags from 600 ft away.  Recently, a group of researchers from Georgia Tech designed a platform for simultaneous analysis of up to 256 RFID tags.

These kinds of developments have left many concerned about the privacy issues related to RFID technology.  Attempts at federal legislation proposing its use in passports and driver's licenses have been met with public resistance.  Consumer advocates question the retail industry's use of RFID tags to track purchasing behavior.   In response, several websites exist that demonstrate how to attack, kill, and destroy RFID chips.

Extrapolating the security and privacy issues of RFID, combined with its growing usage in the clothing retail industry, provides a scary look at the potential exploits of the near future.

Let's assume that the use of RFID tags in the clothing manufacturing process becomes an industry standard.  Unlike with credit cards or passports, there is little financial incentive to employ strong security in inventory tracking systems.  As a result, the RFID tags embedded in clothing could be read by technologically savvy individuals with devious intent: hackers.

The end result?  Embarrassment at the very least.

I imagine that most people wouldn't want the details of their clothing accessible by the public.  With the right technology someone could find out your dress size, waist size, where and who purchased the item, and how much you paid.  If that doesn't sound too bad, how about discovering the size, brand, age, and type of undergarments one is wearing?  Assuming one is wearing any at all.

That's a little more information than I care to share with the public.

All those years I questioned the sanity of those wearing the tin-foil hats and now I may be the one wearing the aluminum suit.

My measurements can be read at: greyhat@computer.org

Copyright © 2008 IDG Communications, Inc.
